As the world becomes increasingly dependent on technology, the potential for data theft or system shutdown from a breach in cybersecurity looms large. IT professionals and law enforcement teams are scrambling to keep up with cyber criminals who are using the latest sophisticated methodologies. Over the past year, 32% of businesses have been victims of a major cyber attack. Each year, the corporate world loses an estimated $388 billion dealing with, and recovering from, breaches in cybersecurity, and the amount spent on remediating computer viruses alone has reached about $55 billion per year. While cyber criminals receive a lot of attention and generate splashy headlines, the threat coming from within an organization, whether malicious or not, may be greater.
In a Harvey Nash/KPMG survey, 4,500 CIOs and technology leaders from around the world indicate that the insider threat is the fastest growing security risk of all. Employees and contractors, who are often provided with access to a company’s network infrastructure without proper risk management training, pose a significant risk to businesses. While some employees act maliciously against their organization, many cybersecurity breaches are due to negligence or inadvertent error. In fact, 60% of businesses admit their employees have no knowledge of security risks.
Businesses that fail to communicate potential risks, and how to defend against them, are likely to experience security incidents caused by human error. According to the 2016 Cyber Security Intelligence Index published by IBM, 60% of all attacks were carried out by insiders. Of these, three-quarters involved malicious intent and one-quarter were inadvertent. Inadvertent breaches include accidentally posting sensitive information on the company's public-facing website, emailing restricted information to the wrong party, or improperly disposing of confidential records. For example, in 2016 an employee of the Federal Deposit Insurance Corp. (FDIC) downloaded sensitive information to a personal storage device, putting data on 44,000 customers at risk. Human error also includes negligence, where an employee ignores security protocols. In a 2013 study of more than 25 million browser warning impressions, Google reported that Chrome's SSL warnings were clicked through 70.2% of the time. In some cases the warnings were ignored because of the user's lack of technical knowledge: these employees simply did not understand the technical language used in the warning.
According to cybersecurity experts, 90% of outside cyber attacks succeed because an employee unwittingly hands their access credentials to the attacker. Cyber criminals exploit insiders who are unfamiliar with phishing techniques, typically through credential-harvesting forms on fake websites or links that deliver malware, to steal a company's sensitive information.
To safeguard a network, it is imperative to first identify potential vulnerabilities through a company-wide information security risk assessment. A business must understand the intricacies of its own network in order to guard against breaches. Company leaders should know what data must be protected, where that data resides on the network, and who has access to it at any given moment, including access inherited through group memberships rather than granted directly. Once vital and sensitive data is identified, access should be restricted to employees who have been properly vetted and are familiar with security protocols. When hiring technical employees and contractors, companies should invest in a professional third-party security service to conduct a thorough background check before they are given clearance to work within the business's infrastructure.
Once hired, employees should receive mandatory, frequent training that reminds them of cybersecurity risks and the consequences of violating security protocols. Training may cover the damage a breach can do to the company as well as how an employee may be penalized for negligence. It should also address the risks of taking confidential information out of the office, on laptops or personal storage devices, where it can be stolen from cars and homes, along with the proper disposal and sharing of sensitive information.
Finally, when an employee leaves the company, their access should be disabled immediately. Disabling the account or password alone is not enough: cloud services that do not require frequent re-authentication will keep existing sessions and refresh tokens valid long after the account is disabled, so offboarding must also revoke those sessions and tokens and remove the user from any groups that confer access. Ideally, deactivating the employee in the HR system automatically triggers this revocation and a remote wipe of company data from their devices, so the departed employee cannot log back in or reach company data.
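The following is an added example, not code from the original article, that puts the two previous points into working form: the access review (who can reach restricted data, including access inherited through nested groups, and whether each of those people has been vetted) and the offboarding step (why disabling an account is not the same as revoking its live sessions and refresh tokens). The `Directory` class and its API are hypothetical, standing in for an identity provider; every user, group, resource and token in it is constructed sample data, and the monthly session lifetime is an assumption about a typical cloud application.

```python
"""Added example (not the article's code): a toy identity store that
(1) resolves nested group membership to audit who can reach restricted
data, flagging anyone not vetted, and (2) offboards a leaver by disabling
the account *and* revoking live sessions and refresh tokens.
All users, groups, resources and tokens are constructed sample data; the
Directory API is hypothetical, not any real identity provider's."""
from dataclasses import dataclass, field

SESSION_TTL = 30 * 24 * 3600  # assumed: a cloud app that re-authenticates monthly


@dataclass
class Directory:
    users: dict = field(default_factory=dict)     # name -> {"vetted": bool, "enabled": bool}
    groups: dict = field(default_factory=dict)    # group -> set of users and/or groups
    grants: dict = field(default_factory=dict)    # resource -> set of principals
    labels: dict = field(default_factory=dict)    # resource -> "public" | "restricted"
    sessions: dict = field(default_factory=dict)  # session id -> (user, expiry)
    refresh: dict = field(default_factory=dict)   # refresh token -> user

    def principals_of(self, user):
        """The user plus every group reached transitively through nesting."""
        seen, todo = {user}, [user]
        while todo:
            p = todo.pop()
            for g, members in self.groups.items():
                if p in members and g not in seen:
                    seen.add(g)
                    todo.append(g)
        return seen

    def effective_access(self, user):
        """Every resource the user can reach directly or via a group."""
        ps = self.principals_of(user)
        return {r for r, who in self.grants.items() if ps & who}

    def audit_restricted(self):
        """(user, resource) pairs where an unvetted person reaches restricted data."""
        findings = []
        for u, attrs in self.users.items():
            if attrs["vetted"]:
                continue
            for r in sorted(self.effective_access(u)):
                if self.labels.get(r) == "restricted":
                    findings.append((u, r))
        return findings

    def login(self, user, now):
        """Issue a session and a refresh token; refused for disabled accounts."""
        if not self.users[user]["enabled"]:
            raise PermissionError(user)
        sid, rt = f"sess-{user}-{now}", f"rt-{user}-{now}"
        self.sessions[sid] = (user, now + SESSION_TTL)
        self.refresh[rt] = user
        return sid, rt

    def session_ok(self, sid, now):
        """How a long-lived cloud session is typically checked: against the
        session store and its expiry only, with no lookup of the account."""
        s = self.sessions.get(sid)
        return s is not None and now < s[1]

    def disable_only(self, user):
        """Blocks *new* logins; existing sessions and tokens keep working."""
        self.users[user]["enabled"] = False

    def offboard(self, user):
        """Full deprovisioning: disable, strip group memberships, revoke tokens."""
        self.disable_only(user)
        for members in self.groups.values():
            members.discard(user)
        self.sessions = {k: v for k, v in self.sessions.items() if v[0] != user}
        self.refresh = {k: v for k, v in self.refresh.items() if v != user}


def build_sample():
    """Constructed sample directory (not real data)."""
    d = Directory()
    d.users = {"alice": {"vetted": True, "enabled": True},
               "bob":   {"vetted": False, "enabled": True},  # contractor, not yet vetted
               "carol": {"vetted": True, "enabled": True}}
    d.groups = {"engineering": {"alice", "bob"},
                "all-staff": {"engineering", "carol"},       # nested group
                "finance-admins": {"carol"}}
    d.grants = {"wiki": {"all-staff"},
                "payroll-db": {"finance-admins"},
                "customer-pii": {"engineering"}}             # over-broad grant
    d.labels = {"wiki": "public", "payroll-db": "restricted",
                "customer-pii": "restricted"}
    return d


def demo(now=1_700_000_000):
    """Run the audit, then show that disabling alone leaves a session alive."""
    d = build_sample()
    findings = d.audit_restricted()                   # [("bob", "customer-pii")]
    sid, _ = d.login("bob", now)
    d.disable_only("bob")
    still_valid = d.session_ok(sid, now + 3600)       # True: nothing was revoked
    d.offboard("bob")
    after_offboard = d.session_ok(sid, now + 3600)    # False: session revoked
    return findings, still_valid, after_offboard


if __name__ == "__main__":
    print(demo())
```

The audit finds that `bob`, an unvetted contractor, reaches `customer-pii` through the `engineering` group, which is exactly the kind of inherited access a per-user grant listing would miss. The offboarding half shows the failure mode the paragraph warns about: after `disable_only`, `bob` cannot log in again, but the session he already holds is still accepted for the rest of its thirty-day lifetime; only `offboard`, which deletes his sessions and refresh tokens and removes his group memberships, actually closes the door.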
With a rapidly changing cyber criminal landscape, one-off assessments, stale employee training, and static protocols will not keep up with the dynamics of cybersecurity today. Training and system evaluation must be ongoing and respond to the ever-changing environment.